How can I configure a Site-to-Site VPN connection with dynamic routing between AWS and Microsoft Azure?

Resolution

Note: For more information on optimizing performance, see AWS Site-to-Site VPN, choosing the right options to optimize performance.

Prerequisites

Before configuring your connection, check the following:

• Make sure that you have an Amazon Virtual Private Cloud (Amazon VPC) CIDR associated to a virtual private gateway or attached to a transit gateway. 
• Make sure that the Amazon VPC CIDR doesn't overlap with the Microsoft Azure network CIDR.

AWS configuration

1.    Create a customer gateway.

2.    Verify the Autonomous System Number (ASN). You can add your own, or use the default option (65000). If you choose the default, then AWS provides an ASN for your customer gateway.

3.    For Customer Gateway IP address, enter the Microsoft Azure public IP address. You're given this address when you configure the virtual network gateway in the Microsoft Azure portal. Refer to step 2 of the Microsoft Azure Configuration section in this article for more information.

4.    Create an AWS Site-to-Site VPN.

5.    Choose an address from the Microsoft Azure reserved APIPA address range for your Site-to-Site VPN. This is necessary because you're setting up BGP Site-to-Site VPN for Microsoft Azure and because AWS Site-to-Site VPN devices use APIPA addresses for BGP. This range is from 169.254.21.0 to 169.254.22.255 for tunnels inside the IPv4 CIDR address. See the following example:

Example address: 169.254.21.0/30   

BGP IP address (AWS): 169.254.21.1

BGP Peer IP address (Microsoft Azure): 169.254.21.2

6.    For Gateway, choose either the virtual private gateway or transit gateway, and then for Routing options, choose Dynamic.

7.    Choose your VPN ID, and then for Vendor choose Generic. 

8.    Download the AWS configuration file.

If you're building a Site-to-Site VPN connection to a transit gateway, then make sure that you have the correct transit gateway attachments. Do this for both the Amazon VPC and your Site-to-Site VPN. Also, turn on route propagation. Initially, only the Amazon VPC routes are propagated. The Microsoft Azure virtual network CIDR isn't propagated in the transit gateway route tables until BGP is established.

Microsoft Azure configuration

1.    Follow the instructions on the Microsoft website to create a virtual network in Microsoft Azure.

2.    Follow the instructions on the Microsoft website to create a virtual network gateway with a public IP address assigned to it. Use the following details:

Region: Choose the region that you want to deploy the virtual network gateway in.

Gateway type: VPN

VPN Type: Route-based

SKU: Choose the SKU that meets your requirements for workloads, throughputs, features, and SLAs.

Virtual Network: A virtual network is associated with your virtual network gateway (similar to a VPC in the AWS environment).

Enable active-active mode: Choose Disabled. This creates a new public IP address that's used as the customer gateway IP address in the AWS Management Console.

Configure BGP: Choose Enabled.

Custom Azure APIPA BGP IP address: (169.254.21.2).

Note: The ASN that you specify for the virtual network gateway must be the same as the customer gateway ASN in the AWS Management Console (65000).

3.    Follow the instructions on the Microsoft website to create a local network gateway. Use the following details:

IP Address: Enter the public IP address of Tunnel 1 that you received when you created AWS Site-to-Site VPN. You can view this in the configuration file that you downloaded from the AWS Management Console.

Address space: Enter the Amazon VPC CIDR block.

Autonomous System Number (ASN): Enter AWS ASN.

BGP peer IP address: Enter the AWS BGP IP (As seen in step 5 of AWS configuration).

4.    Follow the instructions on the Microsoft website to create a Site-to-Site VPN connection in the Microsoft Azure portal with BGP turned on. 

Note: The cryptographic algorithms and PSK are the same on both the Microsoft Azure side and the AWS side.

Phase 1 (IKE):

    Encryption: AES56  
    Authentication: SHA256  
    DH Group: 14

Phase 2 (IPSEC):

    Encryption: AES256  
    Authentication: SHA256  
    DH Group: 14 _(PFS2048)_ Diffie-Hellmen Group used in Quick Mode or Phase 2 is the PFS Group specified in Azure.   
    Lifetime: 3600s (Default on Azure portal is set to 27000s. AWS supports maximum of 3600s for IPSEC lifetime)

Set up Active/Active BGP failover with AWS Site-to-Site VPN between AWS and Microsoft Azure

1.    Follow the instructions on the Microsoft website to create a virtual network gateway. For Enable active-active mode, choose Enabled. This provides two public IP addresses.

2.    Open the AWS Site-to-Site VPN console. Use the two public IP addresses from the Microsoft Azure portal for the virtual network gateway to create two customer gateways. Use the following details:

IP address: Enter the Azure public node 1 IP address for the first customer gateway and Azure public node 2 IP address for the second customer gateway.

BGP ASN: Enter the ASN that you configured on the Microsoft Azure side.

Routing type: Choose Dynamic.

3.    In the AWS Management Console, create two Site-to-Site VPN connections that connect to either a virtual private gateway or a transit gateway. For Tunnel 1 of both Site-to-Site VPN connections, enter the following for the BGP peer IP address:

Site-to-Site VPN 1: 169.254.21.0/30

Site-to-Site VPN 2: 169.254.22.0/30

The first IP address inside the IP /30 address is assigned to the AWS Site-to-Site VPN BGP IP address (169.254.21.1 or 69.254.22.1), and the second is assigned to the Microsoft Azure BGP IP (169.254.21.2 or 69.254.22.2).

4.     Using the Microsoft Azure portal, create two Microsoft Azure local network gateways. For the IP addresses, use the Tunnel 1 public IP addresses from your AWS Site-to-Site VPN tunnels. Also, make sure that the ASN matches the virtual private gateway or transit gateway.

5.    Using the Microsoft Azure portal, create two Microsoft Azure Site-to-Site VPN connections. Make sure that each connection has a Microsoft Azure virtual network gateway pointing towards the local network gateways that you created in the previous step.

Turn on Transit gateway ECMP Support

For an Active/Active setup, where two Site-to-Site VPN connections terminate on transit gateways, both Site-to-Site VPNs have a single tunnel configured. So, there are two active Site-to-Site VPN tunnels out of a possible four. When the transit gateway has ECMP Support turned on, traffic can be load balanced across both Site-to-Site VPN connections. If one Site-to-Site VPN connection goes into the DOWN status, then failover to the redundant link happens automatically through BGP.

Verify VPN Connection State

1. After your Site-to-Site VPN configuration is established, check that the VPN Tunnel State is in the UP status. To do this, choose the Tunnel Details tab on the Site-to-Site VPN console.
2. On the Microsoft Azure portal, verify the VPN connection. Confirm that the status is Succeeded, and then changes to Connected when you made a successful connection.
3. Create an Amazon Elastic Compute Cloud (Amazon EC2) instance in your Amazon VPC to verify the connectivity between AWS and Microsoft Azure. Then, follow the instructions on the Microsoft website to connect to the Microsoft Azure VM private IP address and confirm that the Site-to-Site VPN connection is established.

For more information, see Testing the Site-to-Site VPN connection and How do

I check the current status of my VPN tunnel?